Elevation PowerToys for Windows - All Comments

re: UAC, Logon Scripts, and the Launchapp.wsf workaround

Antony Iadarola — Wed, 05 Sep 2012 15:58:00 GMT

Changing your GPO Login script to Inject directly into registry seems to work without this messing about.

Example:

$sLetter = "K"

$sUNC = "\\Server1\MyServer"

New-Item -Path Registry::HKCU\Network\$sLetter

New-ItemProperty -Path Registry::HKCU\Network\$sLetter -Name "RemotePath" -PropertyType String -Value $sUNC

New-ItemProperty -Path Registry::HKCU\Network\$sLetter -Name "UserName" -PropertyType String -Value ""

New-ItemProperty -Path Registry::HKCU\Network\$sLetter -Name "ProviderName" -PropertyType String -Value "Microsoft Windows Network"

New-ItemProperty -Path Registry::HKCU\Network\$sLetter -Name "ProviderType" -PropertyType Dword -Value 0x00020000

New-ItemProperty -Path Registry::HKCU\Network\$sLetter -Name "ConnectionType" -PropertyType Dword -Value 0x00000002

New-ItemProperty -Path Registry::HKCU\Network\$sLetter -Name "DeferFlags" -PropertyType Dword -Value 0x00000004

re: PowerShell Script to Create a Sysinternals Suite INF File Installer

mine_studio — Tue, 19 Jun 2012 17:37:15 GMT

Thank you, Michael. This script is great!

However, due to minor specification changes on the server this script has become unusable, I made a patch.

--- New-SysinternalsSuiteInstaller.ps1 Wed Jun 20 02:07:06 2012

+++ New-SysinternalsSuiteInstaller.new.ps1 Wed Jun 20 02:07:18 2012

@@ -59,7 +59,7 @@

$invocation = (Get-Variable MyInvocation -Scope 0).Value

$scriptPath = Split-Path $Invocation.MyCommand.Path

-$uriZipFile = "download.sysinternals.com/.../SysinternalsSuite.zip"

+$uriZipFile = "download.sysinternals.com/.../SysinternalsSuite.zip"

$uriWebPage = "technet.microsoft.com/.../bb842062.aspx"

$regexPattern = "<p>Updated: (.+?)<\/p>"

$userAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)"

re: PowerShell Script to Create a Sysinternals Suite INF File Installer

ILYA [ sie ] Sazonov — Sat, 21 Jan 2012 16:45:22 GMT

Thanks for great script! And cosmetic fix: please replace "`n" with "`r`n"

re: Creating a Self-Elevating Script

Michael Murgolo — Wed, 09 Nov 2011 16:23:00 GMT

Chew Toy

The designers of Windows User Account Control expressly decided not to incorporate functionality like setuid/suid or sudo. This post explains why: blogs.msdn.com/.../faq-why-can-t-i-bypass-the-uac-prompt.aspx.

Michael Murgolo

re: Elevation PowerToys for the Windows PowerShell Integrated Scripting Environment (ISE)

Ivan Dretvic — Tue, 08 Nov 2011 03:50:57 GMT

Hi Michael,

I think i know your solution to your quotes stipping issue: If you use %~s1 to pipe the path to Powershell you wont need quotes.

--------------------------

Substitution of batch parameters (%n) has been enhanced. You can

now use the following optional syntax:

%~1 - expands %1 removing any surrounding quotes (")

%~f1 - expands %1 to a fully qualified path name

%~d1 - expands %1 to a drive letter only

%~p1 - expands %1 to a path only

%~n1 - expands %1 to a file name only

%~x1 - expands %1 to a file extension only

%~s1 - expanded path contains short names only

%~a1 - expands %1 to file attributes

%~t1 - expands %1 to date/time of file

%~z1 - expands %1 to size of file

%~$PATH:1 - searches the directories listed in the PATH

environment variable and expands %1 to the fully

qualified name of the first one found. If the

environment variable name is not defined or the

file is not found by the search, then this

modifier expands to the empty string

The modifiers can be combined to get compound results:

%~dp1 - expands %1 to a drive letter and path only

%~nx1 - expands %1 to a file name and extension only

%~dp$PATH:1 - searches the directories listed in the PATH

environment variable for %1 and expands to the

drive letter and path of the first one found.

Hope that helps.

Ivan

P.S. I would love your help with something - ivan.dretvich.com/2011/06/how-to-run-domain-admin-tasks-without-being-logged-in-as-an-administrator/

I use Elevation PowerToy (which i have modded) and am having issues with the quotes myself. Basically the util adds a Run as %username% context menu which then in turn runs RUNAS.exe elevate.bat %* %1 etc... however if my variables have quotes in them, the RUNAS flips and links dont work (Powershell so far is the only culprit for this) - any help appreciated.

re: Creating a Self-Elevating Script

Chew Toy — Mon, 07 Nov 2011 22:46:01 GMT

This is great...but... I still long for sudo.

I landed here looking for a windows way to do the equivalent of sudo on Windows, and while this contains lots of great info on how to do *part* of what sudo does (allowing an admin to run without elevated privs and elevate only when needed), it misses the original purpose of sudo, which was to allow SOMEONE ELSE (not an admin) to run a SPECIFIC command (one owned and vetted for security by the admin) with admin privs.

What we're still missing is a trustworthy way of letting a non-admin user run only specific commands with admin privileges.

For example, at the moment I want to allow a particular non-admin user to run a bat file (or powershell/vb/wsh/whatever) as an admin without letting that user do anything else as an admin. In this specific case the user needs to modify a config file and restart a service, but the user shouldn't be able to do any other admin action.

Using sudo on Unix, I would just create a root-owned script (so the user can't change it), then configure sudo to allow the user to run that specific script. This would take only a few minutes -- it's a really common activity on Unix systems, letting root users allow a non-root user to run a specific script to do only what they need to do without bothering root or waiting for root.

So far the closest thing I've found (other a few obviously weak sudo clones) would be to set a scheduled task to run as admin, and have that scheduled task look for some kind of signal that it should actually do something. For example, a powershell script could look for "c:\users\bob\flags\run_once4me.txt" and only proceed if the file is found. This way the user would have no influence over the steps run by the scheduled task -- he would only be able to cause the script to go or not go. That's what sudo allows.

I'm not looking for an answer to this comment -- but I confess to hoping against hope that I'll inspire you to figure out a way to do this gracefully on Windows. ;-)

re: UAC, Logon Scripts, and the Launchapp.wsf workaround

Michael Murgolo — Fri, 17 Dec 2010 15:55:22 GMT

Tim Bernhardson,

I was just looking at MSDN and you may also have to set the userid for the trigger as well. So you may need this additional change.

Change this:

Set trigger = triggers.Create(TriggerTypeRegistration)

To this:

Set trigger = triggers.Create(TriggerTypeRegistration)
trigger.UserId = strNTUserPath

Let me know how it goes.

Michael Murgolo

re: UAC, Logon Scripts, and the Launchapp.wsf workaround

Michael Murgolo — Fri, 17 Dec 2010 15:22:14 GMT

Tim Bernhardson,

Perhaps making the task name user-specific will help for the terminal services scenario. Try the following change and let me know if it works. If it does I'll change the download.

Change this:

strTaskName = "Launch App As Interactive User"

to this:

    Set objWshNetwork = CreateObject("Wscript.Network")
    strUser = objWshNetwork.UserName
    strDomain = objWshNetwork.UserDomain
    strNTUserPath = strDomain & "\" & strUser
    strTaskName = "Launch App As Interactive User - " & strNTUserPath

Thanks,

Michael Murgolo

re: UAC, Logon Scripts, and the Launchapp.wsf workaround

Tim Bernhardson — Fri, 03 Dec 2010 16:20:22 GMT

Works fine on single user computers, however on Servers ( I.E. Terminal Services ) it only works for the first session for Administrative users - the scheduled task always runs in the first session so if you have multiple sessions on the server only the first one gets the maps...

Any idea of a work around?

re: PowerShell Script to Create a Sysinternals Suite INF File Installer

Chris Sagovac — Sun, 31 Oct 2010 12:05:44 GMT

Thank you, Michael, your script is exactly what I had in mind!